
LEM integration with Solaris 10 using BSM

Updated October 7th, 2016

Overview

LEM integration with Solaris 10 using BSM

Environment

  • LEM 6.2
  • Solaris 10

Steps

Solaris 10 BSM Setup

Instructions

This document describes how to configure the Solaris 10 “Basic Security Module” (BSM) to log audit events to a file via syslog. The SolarWinds LEM agent for Solaris can then read that file through the Solaris 10 BSM Auditing connector. We outline the steps necessary to configure BSM this way, followed by a reference section with more detailed information about the audit classes. We assume that BSM is already installed on the Solaris 10 server. Solaris versions 8 and 9 need additional software (Snare) installed in order for BSM to log via syslog and are not covered in this document.

Configure BSM to send to syslog

You will need to have root access to the Solaris server. This process will require the reboot of the server.

  1. Assume a role that includes the Audit Control profile, or become superuser, and open a terminal window if you have not already.
  2. Run the script that enables the auditing service.

# cd /etc/security

# ./bsmconv
This script is used to enable the Basic Security Module (BSM).
Shall we continue with the conversion now? y/n y
bsmconv: INFO: checking startup file.
bsmconv: INFO: turning on audit module.
bsmconv: INFO: initializing device allocation.

The Basic Security Module is ready.
If there were any errors, please fix them now.
Configure BSM by editing files located in /etc/security.
Reboot this system now to come up with BSM enabled.

  • NOTE: Do NOT reboot yet. We still need to adjust some settings first.

  3. Save a backup copy of the audit_control file.

# cp /etc/security/audit_control /etc/security/audit_control.orig

  4. Modify the audit_control file found in /etc/security to include flag settings for the classes you wish to audit and to log events via syslog. Sample settings are listed below.

# vi /etc/security/audit_control
...
dir:/var/audit
flags:am,cl,ex,fc,fd,fm,lo,pc,ss,ua
minfree:20
naflags:lo
plugin:name=audit_syslog.so.1; p_flags=am,cl,ex,fc,fd,fm,fr,fw,lo,pc,ss,ua

  • NOTE: These settings audit both success and failure. If you precede a class with a dash (i.e. -lo,-ex), the system will report failures only. More information about each class is provided in the Audit Reference at the bottom of this document.

  5. Save a backup copy of the syslog.conf file.

# cp /etc/syslog.conf /etc/syslog.conf.orig

  6. Add an audit.notice entry to the syslog.conf file. The log location is included in the entry.

# vi /etc/syslog.conf
...
audit.notice /var/adm/auditlog

  • NOTE: Solaris syslogd requires a tab, not spaces, between the selector (audit.notice) and the file name.

  7. Create the log file.

# touch /var/adm/auditlog

  8. Reload the syslog service so it picks up the new configuration.

# svcadm refresh system/system-log

  9. Save a backup copy of logadm.conf.

# cp /etc/logadm.conf /etc/logadm.conf.orig

  10. Auditing generates a lot of information, so add an entry for log rotation.

# vi /etc/logadm.conf
...
/var/adm/auditlog -C 8 -a 'kill -HUP `cat /var/run/syslog.pid`'

  • NOTE: This will keep the last 8 days of audit logs.

  11. Reboot the Solaris server to activate the changes.
  12. Log back in to the server and check for audit activity. You should see some entries in the auditlog file.

# tail /var/adm/auditlog

  • NOTE: If the file is blank, consult your Solaris documentation (“System Administration Guide: Security Services”, Chapter 30) or your Solaris support provider.
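As an added example (not from the original article or from SolarWinds), this POSIX shell snippet checks an audit_control file before the reboot: the audit_syslog plugin forwards only events that are also preselected by flags or naflags, so a class that appears only in p_flags is never written to the syslog file. The file content is constructed from the sample settings above and the helper names are hypothetical.

```shell
# Added example, not part of the original article: check an audit_control
# file before rebooting. audit_syslog forwards only events that are also
# preselected by "flags" or "naflags"; any p_flags class missing from both
# is never logged. The sample below is constructed from the article's
# settings; the helper names are hypothetical.
SAMPLE_AUDIT_CONTROL='dir:/var/audit
flags:am,cl,ex,fc,fd,fm,lo,pc,ss,ua
minfree:20
naflags:lo
plugin:name=audit_syslog.so.1; p_flags=am,cl,ex,fc,fd,fm,fr,fw,lo,pc,ss,ua'

# get_field TEXT KEY -> value of the first "KEY:..." line (empty if absent)
get_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# get_pflags TEXT -> the p_flags list from the audit_syslog plugin line
get_pflags() {
    printf '%s\n' "$1" | sed -n 's/^plugin:.*p_flags=\([^;[:space:]]*\).*/\1/p' | head -n 1
}

# classes LIST -> one class per line, with the +/- success/failure prefix
# removed so "-lo" and "lo" count as the same class
classes() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[+-]*//' | sed '/^$/d' | sort -u
}

# unforwarded_pflags TEXT -> space-separated p_flags classes that are not
# preselected anywhere (empty string means the plugin line is consistent)
unforwarded_pflags() {
    preselected=$(classes "$(get_field "$1" flags),$(get_field "$1" naflags)")
    missing=""
    for c in $(classes "$(get_pflags "$1")"); do
        if ! printf '%s\n' "$preselected" | grep -qx "$c"; then
            missing="$missing $c"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Report on the article's sample: fr and fw are in p_flags but not in flags.
result=$(unforwarded_pflags "$SAMPLE_AUDIT_CONTROL")
if [ -n "$result" ]; then
    echo "WARNING: p_flags classes not preselected by flags/naflags: $result"
else
    echo "OK: every p_flags class is preselected"
fi
```

Run it against the real file with `unforwarded_pflags "$(cat /etc/security/audit_control)"`; a non-empty result means either add those classes to flags or drop them from p_flags.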


Configuring the Agent and Connector

  1. If you haven’t already, install the LEM Solaris agent on the machine.
  2. Once the agent has successfully connected in your Console, go to Manage>Agents, select the agent, and choose Gear>Connectors.
  3. Under Operating Systems, choose the Solaris 10 BSM Auditing tool and click Gear>New. Create a new connector configuration, and verify that the Log File path is pointed to the correct path for your audit log.
  4. Save and click Gear>Start to start the tool. Log out of the Solaris server and back in to generate some log entries and verify that you see them in the Console.


Audit Reference

Suggested Audit Classes

  Abbrev  Description
  am      Administrative Actions (meta-class)
  cl      Close System Call
  ex      Program Execution
  fc      Create Object
  fd      Delete Object
  fm      Change of Object Attribute
  fr      Read Data, open for reading
  fw      Write Data, open for writing
  lo      Login and Logout events
  pc      Process (meta-class)
  ss      Change System State
  ua      User Administration

We suggest you do NOT audit the following Audit Classes

  Abbrev  Description
  all     All classes (meta-class)
  ap      Application-defined events
  fa      Access of object attributes
  io      ioctl() System Calls
  ip      System V IPC operations
  na      Nonattributable events
  nt      Network events: bind, connect, accept
  ot      Miscellaneous, such as device allocation and memcntl()

Integration of Solaris and Snare

Due to the type of internal logging carried out by Solaris, one of two solutions must be applied before Solaris can be integrated into LEM: (A) install the Snare agent on Solaris, followed by a LEM agent, or (B) enable BSM on Solaris, followed by a LEM agent. This document covers option B.
